YOU ARE FROM ME .NET!

COUNTERCEPT

FOUR THINGS ABOUT MYSELF

Threat Hunter @ Countercept
Attack detection blogger
Code junkie
Netflix addict
THE AGENDA

IN THE NOT SO DISTANT PAST

VBScript
PowerShell
Office Macros
POWERSHELL, A HOT FAVOURITE

Load shellcode into memory
Call upon .NET API
Call upon native API
DEFENCES ARE GETTING BETTER

Parent-Child Process Relationship

Command Line Arguments Logging

CommandLine: powershell write host "This is an evil command"
DEFENCES ARE GETTING BETTER

AMSI assisting Anti-Virus with script-based detection

PS C:\Users\Wee-jing>

PowerShell Script Block Logging to aid with detection

Event 4104, PowerShell (Microsoft-Windows-PowerShell)
Creating Scriptblock text (1 of 1):
Write-Host "I wouldn't want to call DeviceIoControl here"
ScriptBlock ID: 47134717-495f-4d04-8609-f6ad99533fbd
Path:
INDUSTRY AS A WHOLE

More opportunities to detect bad PowerShell

ADVERSARIES JUST DON'T GIVE UP

Invoke .NET directly instead of via PowerShell
WHY .NET THOUGH?

Lack of telemetry
Powerful functions
Installed by default
LET'S COMPARE POWERSHELL AND .NET

POWERSHELL VS .NET DEMO

(Screenshot: the demo VM desktop with the "PowerShell vs .NET" folder open in File Explorer, containing two files, NET.hta and powershell.hta.)
POWERSHELL VS .NET

PowerShell execution

Say Hello to PowerShell
Click here to execute PowerShell code

Say Hello to .NET
Click here to execute .NET code

HOW DID I

In-memory assembly loading
IN MEMORY .NET ASSEMBLY LOADING

De-serialize

Instantiate

A FUN FACT

using MyAssembly;

// Instantiate the assembly's Program type and call its entry method
Program newProgram = new Program();
newProgram.main();

This does exactly the same thing
WHAT CAN THE LOADED OBJECT DO?

Load shellcode into memory
Call upon .NET API
Call upon native API

MID-POINT CHECK

Similar to PowerShell
Lack of telemetry

Challenge: Can we detect this?
THE AGENDA

...... WITH PROCESS HACKER

(Screenshot: Process Hacker on DESKTOP-KM99ITG, Processes tab. The process list includes explorer.exe, cmd.exe with mshta.exe (Microsoft (R) HTML Application host) listed under it, and ProcessHacker.exe.)
.NET execution

Say Hello to .NET
Click here to execute .NET code

Mshta.exe
DETECTING .NET LOADED DLLS

mshta.exe (2012) Properties, Modules tab:

Name                 Base address   Size            Description
(name not legible)   0x6af00000     (not legible)   Microsoft .NET Runtime Execution Engine
mscoreei.dll         0x6ae80000     500 kB          Microsoft .NET Runtime Execution Engine
mscorlib.ni.dll      0x69040000     19.59 MB        Microsoft Common Language Runtime Class Library

Loading of .NET runtime DLLs can be observed
DEFINITELY DO

MSHTA typically only runs HTML or JavaScript code!

HOLDS TRUE FOR OTHER BINARIES
WHAT IF A BINARY RELATED TO .NET WAS USED

Msbuild.exe
3rd Party Application

Not uncommon to have .NET runtime DLL

WE NEED SOMETHING BETTER

And the answer lies deep within Process Hacker
.NET ASSEMBLIES

mshta.exe (8332) Properties, .NET assemblies tab:

Structure                    ID          Flags                    Path
CLR v4.0.30319.0             63          CONCURRENT GC, ComActivated
  AppDomain: DefaultDomain   174694...   Default, Executable
    MyAssembly               174653...
    System                   174651...   Native                   C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll
    System.Xml               174652...   Native                   C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
  AppDomain: SharedDomain    179115...   Shared
    mscorlib                 174650...   DomainNeutral, Native    C:\WINDOWS\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll
.NET ASSEMBLIES

(Same .NET assemblies view of mshta.exe (8332) as the previous slide: MyAssembly in DefaultDomain has no Path, unlike System, System.Xml and mscorlib, which are Native images loaded from the GAC.)
How did Process Hacker achieve this?

DEEP WITHIN PROCESS HACKER

Microsoft-Windows-DotNETRuntime
Microsoft-Windows-DotNETRuntimeRundown

A set of .NET ETW providers
PROOF-OF-CONCEPT

LET'S TRY TO DETECT MY ATTACK

Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API
IN-MEMORY ASSEMBLY LOAD

Loading of .NET assemblies
Just In Time compilation

.NET CODE COMPILATION ARCHITECTURE

Compilation time: Compile
Runtime: Upon execution -> JIT Compiler -> Compile

JIT COMPILATION

Events generated whenever a .NET method is first utilized

IN-MEMORY ASSEMBLY LOAD INDICATORS

Loading of .NET assemblies -> Just In Time compilation
IN-MEMORY ASSEMBLY LOAD INDICATORS

12068, DomainModuleLoad V1, 0x2781978, Manifest, MyAssembly
12068, MethodJittingStarted, 0x6145FF4, MyAssembly.Program,
12068, MethodJittingStarted, 0x6145FF4, MyAssembly.Program, main

Detect execution of the MyAssembly constructor


REMEMBER THIS?

using MyAssembly;

Program newProgram = new Program();
newProgram.main();

In-memory loading of assembly attempts to replicate the above behavior

DETECTION SUMMARY

Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API: Message box

This is a native API imported from user32.dll
JIT ETW

Just In Time compilation

JIT compilation doesn't occur for native .NET assemblies
NATIVE .NET ASSEMBLIES?

System.Text
Console.WriteLine()

WHY THOUGH?

Native Image Generator (NGEN) compiles .NET assemblies to native images, and caches them

WHY THOUGH?

JIT compilation would not occur

DETECTION SUMMARY

Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API
.NET ETW EVENTS

Interop events

INTEROP EVENTS

Events generated during calls made to Windows' native API

NATIVE CODE

Native function imported from User32.dll
INTEROP EVENTS

2044, ILStubGenerated, None, MyAssembly.Program, MessageBox

Detected a call towards MessageBox
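The in-memory assembly load indicators (DomainModuleLoad, MethodJittingStarted) and the interop indicator (ILStubGenerated) from the listings above, correlated in one place. This is an added Python example, not the talk's dotnet-runtime-etw.py tool: it assumes the tool's "pid, event, id, namespace, name" layout plus a trailing path column, uses constructed sample events, and takes the first segment of the managed namespace as the owning assembly, which holds for MyAssembly.Program but is a simplification.

```python
from collections import defaultdict
# Constructed sample in the talk's "pid, event, id, namespace, name" layout, plus an
# assumed trailing path column that is empty when the module has no backing file.
SAMPLE_EVENTS = r"""
12068, DomainModuleLoad V1, 0x2781978, Manifest, MyAssembly,
12068, DomainModuleLoad V1, 0x2781A10, Manifest, System.Xml, C:\WINDOWS\Microsoft.Net\assembly\GAC_MSIL\System.Xml\v4.0_4.0.0.0__b77a5c561934e089\System.Xml.dll
12068, MethodJittingStarted, 0x6145FF4, MyAssembly.Program, .ctor,
12068, MethodJittingStarted, 0x6145FF4, MyAssembly.Program, main,
12068, ILStubGenerated, None, MyAssembly.Program, MessageBox,
"""

def parse_event(line):
    """Split one event line into its fields; returns None for blank or short lines."""
    parts = [p.strip() for p in line.split(",", 5)]
    if len(parts) < 5:
        return None
    pid, event, ident, scope, name = parts[:5]
    path = parts[5] if len(parts) > 5 else ""
    return {"pid": int(pid), "event": event, "id": ident,
            "scope": scope, "name": name, "path": path}

def correlate(text):
    """Return (memory_only, findings) for an event stream.
    1. DomainModuleLoad with no path: the assembly exists only in memory.
    2. MethodJittingStarted on that assembly: its methods (.ctor, main) are running.
    3. ILStubGenerated on that assembly: it is calling into a native API.
    NGEN'd assemblies such as System.Xml emit no JIT events, so they are never flagged.
    """
    memory_only = defaultdict(set)  # pid -> assembly names loaded without a file
    findings = []
    for raw in text.splitlines():
        ev = parse_event(raw)
        if ev is None:
            continue
        pid = ev["pid"]
        if ev["event"].startswith("DomainModuleLoad"):
            if not ev["path"]:
                memory_only[pid].add(ev["name"])
                findings.append((pid, "module_load_no_path", ev["name"]))
            continue
        # Simplification: the first namespace segment is taken as the owning assembly.
        assembly = ev["scope"].split(".")[0]
        if assembly not in memory_only[pid]:
            continue
        if ev["event"] == "MethodJittingStarted":
            findings.append((pid, "jit_in_memory_assembly", f"{ev['scope']}::{ev['name']}"))
        elif ev["event"] == "ILStubGenerated":
            findings.append((pid, "native_call_from_in_memory_assembly", ev["name"]))
    return memory_only, findings
```

Running correlate(SAMPLE_EVENTS) yields four findings for pid 12068: the path-less MyAssembly load, JIT of its .ctor and main, and the interop stub for MessageBox; the NGEN'd System.Xml load produces nothing.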


THIS IS REALLY USEFUL

Logging of keystrokes
Credential extraction from memory
Other malicious activities

DETECTION SUMMARY

Indicators for in-memory assembly load
Indicators for .NET API related to registry creation
Indicators for invoking of native API
REAL WORLD EXAMPLE, SILENTRINITY

SILENTRINITY DEMO

(Screenshot: two command prompts on the demo VM.)

Microsoft Windows [Version 10.0.17134.765]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>MSBuild.exe C:\Users\Wee-jing\Desktop\Presentation\Silentrinity\msbuild.xml
'MSBuild.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\WINDOWS\system32>cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319

C:\Windows\Microsoft.NET\Framework64\v4.0.30319>MSBuild.exe C:\Users\Wee-jing\Desktop\Presentation\Silentrinity\msbuild.xml

Microsoft Windows [Version 10.0.17134.765]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>cd C:\Users\Wee-jing\Documents\dotNetDetection

C:\Users\Wee-jing\Documents\dotNetDetection>python dotnet-runtime-etw.py --disable-rundown-provider --enable-method-tracing
.NET TELEMETRIES

.NET runtime DLLs
.NET ETW events

HOW ABOUT OTHER TELEMETRY?

Attacker: Recon, Delivery, Execution, Persistence, Control, Lateral Movement, Objective

TO WRAP IT UP

.NET isn't that invisible

PowerShell, still deadly but.....

Try it yourself!